KR20170053179A - Light based wireless security system - Google Patents

Abstract

A light-enabled security system for allowing a user device to access a file or data on a network, wherein each user device has a user ID and each file / data has a file / data ID. Wherein the system has a plurality of optical-enabled user access points for allowing access to the network over an optical communication channel, each optical-enabled user access point being associated with a unique location ID, Wherein the network access request includes the user ID, the unique user access point location ID, and the requested file ID. The system receives the network access request and uses a network access request to determine whether access to the file / data is permitted or denied based on the user ID, the location ID and the file ID.

Description

[0001] LIGHT BASED WIRELESS SECURITY SYSTEM [

The present invention relates to wireless security. Especially for light based wireless security.

Internet access significantly improves the productivity of an organization. However, it also creates a path for potentially malicious actors to penetrate the network through hacking and social engineering. Thus, correspondingly, administrators divide network access to limit access for all users to a specific sub-set. This increases security by restricting the organization's attack surface and exposure, while it does not address human users, the most vulnerable aspects of the cyber security chain.

Most successful network intrusions are caused by human factors in the security chain. More than 45% of the worst security breaches in the company were the result of human error, according to a 2013 information security breach investigation conducted by PWC for the British Government's business innovation and technology department. There are also a number of articles that show that social engineering, which helps humans to help you, is the easiest way to hack an organization. Thus, in addition to introducing system-level encryption for employee devices, organizations also use statistical pattern-aware models of employee behavior to optimize their security. In an attempt to detect abnormal events, an important research goal is to create a user behavioral model that tracks and correlates data. The range of user data ranges from GPS location to network access and file / Internet browsing characteristics. However, data analysis is tedious and time-consuming. Thus, many state-of-the-art malware and intrusion detection algorithms alert after the system is compromised.

Accordingly, similar to how banks monitor customer transactions, organizations are deploying algorithms to monitor their network and employee behavior. To facilitate these models, organizations want to keep track of the exact location of their employees and assets while they are on the premise that only the right individuals are accessing the right information from the right location at the right time. Physical access controls such as biometric control doors and closed-circuit TV cameras are often used to partition the indoor environment. However, such segmentation limits activity within the organization and is not advantageous for real-time asset tracking. Current indoor positioning is inaccurate, and even in recent tracking protocols, wireless access points connected to the network backbone are needed. These can be vulnerable points and vulnerable to sniffing and penetration.

In the present invention, a light enabled security system is provided that allows a user device to access files or data on a network.

According to a first aspect of the present invention there is provided an optical enabled security system that allows a user device to access files or data on a network, each user device having a user ID, The system has a plurality of optical-enabled user access points for allowing access to the network over the optical communication channel, and each optical-enabled user access point is associated with a unique location ID Wherein the network access request is operable to configure a network access request in response to a file / data request from a user device, the network access request including a user device ID, a unique user access point location ID, a requested file ID, Based on the user ID, the location ID, and the file ID, It includes a system suitable for use with the network access request to determine whether Suga allowed or denied.

Suitably, a plurality of light-enabled portable user devices are presented to communicate with the access point using light, each device associated with a unique user ID.

The present invention utilizes a light-enabled Li-Fi network. It introduces a bridge between physical and cyberspace. Li-Fi uses visible light for communication. Visible light, including near ultraviolet and infrared wavelengths, can not penetrate opaque objects, which means that the radio signal is confined within strictly limited illumination areas. The ability to limit the communication area of a Li-Fi access point allows precise partitioning of the environment. In addition, the technology requires proprietary hardware before a person can access the system. Finally, a cellular-deployed Li-Fi network can be used to improve asset tracking within an organization and to improve deployed user behavior statistics as well as to precisely limit user network access.

All users are easy to move by using dedicated optical-enabled portable user access devices or desktop units as tokens. Also, the number of possible active users can be tightly monitored and controlled because all users require a desktop unit to access the network.

Each light-enabled portable user device transmits light to a light-enabled user access point using light of a first wavelength and light from a light-enabled user access point at a second different wavelength. The advantage of this is that there is no possibility that one employee will be able to listen to information transmitted from another employee to the server, since the uplink communication is on a different frequency than the downlink. In this embodiment, all desktop units (and access points) have a built-in transceiver that allows bi-directional communication.

Another advantage is that all files have a concurrent "double gate lock system". One gate is unlocked with an outdated / conventional authentication method, while the other gate is associated with a particular location of the device requesting access to the file, i. E., The combination of the particular access point and user device requesting access As shown in FIG. The position control gate may be in a stand-alone, physically separate server. In this way, the likelihood of network intrusion is significantly reduced as long as physical assets are protected. It also creates a barrier that allows external network access to employees while preventing network intrusions from outsiders.

Network access can be controlled to allow file access only if the device is connected to a Li-Fi network. If users are connected to the Li-Fi network, they can download or modify certain files on their devices. The downloaded files can be encrypted. For example, files may be encrypted with a high level of hardware facilitated encryption at the access point where they are accessed, along with software that monitors the connection to the network. As soon as the user disconnects from the Li-Fi access point, the network control software can completely delete any trace of the file and work session or leave an encrypted copy of the work session. This results in files that are (potentially already downloaded) inaccessible except when they are connected to the particular access point that they download. Thus, any file access may require a user to be connected to the Li-Fi network, while preventing external access to the network and thus minimizing the attack vulnerability of the organization.

Additional forms of hardware-accelerated encryption may be available through desktop units (unlike access points). By facilitating hard-coded encryption / decryption in the desktop unit, it is possible for files on the network to be protected from access by any desktop unit except for the intended desktop unit. This can be done in two main ways, where (hardware-based) files can be uploaded from the desktop unit to the network, and the desktop unit encrypts the files so that they can only be accessed from the same desktop unit Software-based) public key of the intended desktop unit may be used by another device to encrypt the file upon uploading to the network, so that again, only the intended desktop unit having access to the associated private key can access the file Access.

In fact, two layers of hardware enable encryption can be implemented. Access point encryption connects access to a specific location, and desktop unit encryption connects access to a specific user or device.

The system of the present invention may be adapted to identify the current location of the user device, define a group or set of optical enabled access points in the vicinity of the user device to which access is permitted, and store the details of the group. Any device that can be connected to the network can be located and tracked. This enables the implementation of so-called geo-fencing in which movement and connection of all devices is monitored and the physical access area of the device is currently connected and restricted to adjacent access points. Access to the files may be enabled only under designated Li-Fi access points. Asset tracking can also be implemented based on geofencing principles.

The security system of the present invention may be adapted to store information related to a user's use of the system and to utilize the information to identify potentially anomalous behavior. Statistical models of user behavior can be developed based on monitoring the network activity of users as well as the movement patterns of employees using them. Employee behavior can be monitored in a more accurate and more informative manner due to the localization information provided by the Li-Fi network. This modeling can significantly improve system security by paying attention to the anomalous effects in real time rather than post processing.

The system may include a plurality of light-enabled portable user devices for communicating with an access point using light, each device associated with a unique user ID. Each optical enabled portable user device may be operable to transmit to a light enabled user access point using light of a first wavelength and to receive light of a second different wavelength from light enabled user access points .

A number of secure wireless networks may be defined using optical-enabled user access points, where each access point may be defined by a physical structure, such as a wall or ceiling, Lt; RTI ID = 0.0 > coverage. ≪ / RTI >

The system may be adapted to determine whether access is authorized or denied using (1) the user ID and file ID, and (2) the user ID and location ID. In this example, the system includes a first processor or server adapted to determine whether access is authorized or denied using a user ID and a file ID, and a second processor or server adapted to determine whether access is granted or denied Lt; RTI ID = 0.0 > and / or < / RTI >

The system may first determine whether access is authorized or denied using the user ID and file ID, and then may be adapted to determine whether access is authorized or denied using the user ID and the location ID.

The system may be adapted to determine whether access is denied or denied using (1) a user ID and a file ID, and (2) a file ID and a location ID. In this example, the system includes a first processor or server adapted to determine whether access is authorized or denied using a user ID and a file ID, and a second processor or server adapted to determine whether access is permitted or denied Lt; RTI ID = 0.0 > and / or < / RTI > The system may first be determined to use the user ID and the file ID to determine if access is authorized or denied, and then use the file ID and location ID to determine whether access is authorized or denied.

The system may be adapted to identify the current location of the user device, define a group or set of optical-enabled user access points proximate to the authorized user device, and store the details of the group.

The system may be adapted to continuously monitor the location of the user and update the group or set of optical-enabled user access points for which access is authorized.

The system may be adapted to identify an attempt to access the network from an access point outside a defined group or set of optical enabled user access points located near the user device. The system may be adapted to generate an alert indicating an illegal access if an attempt to access the network is identified.

The system may be adapted to store information related to a user's use of the system and to utilize the information to identify potentially anomalous behavior.

The system may store details of the location of the user device and thus be adapted to make the user device traceable. Each access point may be associated with an indoor location, e.g., a particular room or area within a building.

At least one optical-enabled access point may be associated with the encrypted file, and decryption of the file may be possible only when connected to the at least one light-enabled access point. The at least one light-enabled access point may be operable to encrypt the file.

The at least one light-enabled access point may be operable to delete a file from the user device if the connection between the user device and the access point is broken.

In case the connection between the user device and the access point is broken, only the encrypted file may be available using the user device.

At least one user device may be associated with the encrypted file or data, and the file or data may be accessed only by the user device.

The at least one user device may comprise encryption and / or decryption hardware or software.

Each user access point may be adapted to receive light of different wavelengths, where each wavelength is associated with another level of access.

According to another aspect of the present invention there is provided a light-enabled portable user device for use in the system of the first aspect described above, the device being operable to transmit a user ID and a file ID with a network access request.

According to the present invention, an optical enabled security system may be provided that allows a user device to access files or data on the network.

BRIEF DESCRIPTION OF THE DRAWINGS Various aspects of the present invention will now be described, by way of example, with reference to the accompanying drawings.
1 is a block diagram of a visible light enable security system.
2 is a schematic view of a physical security aspect of a visible light enable system.
3 is a block diagram of a dual gate access system.
Figure 4 is a flow diagram illustrating a method for performing a dual gate access using the system of Figure 3;
5 is a block diagram of a geofencing access system.
Figure 6 is a flow diagram illustrating a method for performing geofencing access using the system of Figure 5;
7 is a block diagram of a behavior analysis system.
Figure 8 is a flow diagram illustrating a method for performing behavioral analysis access using the system of Figure 7;

The present invention provides a light-enabled access system that utilizes light as a secure network access point. All lights must be Li-Fi enabled. Each Li-Fi access point is connected to a cable network that delivers data and network access. This cable hypothesis can also provide power to a Li-Fi access point, also referred to as a ceiling unit. Each ceiling unit is connected to one or more LED lighting fixtures that modulate light to supply power and transmit data. The physical connectivity of the ceiling units depends on the logical partitioning of the environment. After installation of the ceiling units, each user is assigned a desktop unit. Each desktop unit facilitates hardware enable encryption. Each desktop unit has a receiver for receiving the visible light signal of the first wavelength from the ceiling units and a transmitter for transmitting to the ceiling unit at the second wavelength. Each ceiling unit has a transmitter for transmitting the visible light signal of the first wavelength to the desktop unit and a receiver for receiving the second wavelength from the desktop unit.

To avoid doubt, and throughout this patent, "visible light" will refer to electromagnetic waves of wavelengths between 10 nm and 2500 nm, including ultraviolet, visible and near infrared wavelengths.

Figure 1 shows a Li-Fi access system, network and network control system. The system has a number of Li-Fi enabled LED lamps 1 that function as a wireless access point that allows access to the network 3 to the user Li-Fi desktop unit 2. A ceiling unit (not shown) is associated with each light / lamp. The network 3 may be accessed via each access point 1 within an area or "coverage area" where the access point illuminates. Each ceiling unit is connected to the network 3 via an Ethernet cable and interfaces directly with the IP layer. The ceiling unit utilizes visible (white) light generated for illumination as a communication medium.

Each Li-Fi desktop unit operates to be connected to the computing device via, for example, USB to provide access to the network to a computing device (e.g., laptop, tablet, smartphone, etc.). The desktop unit receives the information signal transmitted through the white light signal and supplies it to the device. The desktop unit uses an infrared LED to communicate the uplink channel to the Li-Fi ceiling unit. A plurality of desktop units can access the same ceiling unit at the same time and the desktop unit can move to the coverage area of another ceiling unit without disconnecting it from the coverage area of one ceiling unit.

The network 3 is composed of interconnection of Ethernet switches and cables, and exchanges data with all the access points 1. Secure access to the network 3 is provided through Li-Fi ceiling units (and direct Ethernet ports). The network 3 is configured with a star topology, with a single Ethernet cable serving each ceiling unit.

Connected to the network 3 is a central system with a file system / server 4, a location access server 5, a network security system 6, and a data and analysis server 7.

The file system / server 4 is the main host of all the files to be accessed by the user of the system. This includes both secure and non-secure files. The file system / server 4 may be configured to provide access to any portion of the file system, such as a file system, Microsoft Active Directory, etc., ), Dual authentication, and other aspects.

To control secure access to the network 3, a location access server / controller 5 is provided. It hosts location-specific (IP / MAC address of allowed ceiling units in case of Li-Fi) access qualifications of all individual files (location-locked). It also hosts each user's location specific access entitlements, i.e., the user is authorized to access the network 3 from the ceiling unit. The former information is used for double gate locks, and the latter information is used for geofencing. This will be explained in detail later.

When the user attempts to access a particular file from a particular access point, the file system / server 4 queries the location access server 5 with a user ID, file ID, location ID (access point IP / ID) query. The location access server 5 can determine whether a file (associated with the file ID) can be accessed from a particular access point (associated with the location ID), or if the user (associated with the user ID) Or whether they are both above. Thus, the location access server 5 is a key configuration for location based network access. The output of the location access server 5 is a binary value indicating an acknowledgment or denial of access. In this way, the location authentication information on the server 5 is kept protected.

The network security system 6 monitors, detects and protects the system from security violations and illegal data access.

To store access statistics of users, files, locations, a data and analysis server 7 is provided. Other parameters such as access time, device (s), etc. are stored in the data and analysis server 7. At this server, the analysis is performed on the collected data to provide a statistical model of the access behavior of the system users as well as the files and access locations. The data and analysis server 7 simply monitors activity in the network 3, uses a developed statistical model for anomaly detection, and sends a warning of potential security breaches.

The use of visible light has many attractive characteristics in wireless communication space, particularly in terms of network security. From a very basic point of view, the non-penetrating nature of the light limits the wireless network to the area being illuminated. In a very secure environment, this results in a wireless network literally contained within "four walls". Fig. 2 (a) shows this, where the solid wall blocks penetration of the optical signal. The non-penetrating characteristics of the light sufficiently reduce the risk of illegal access via wireless connections. Another security feature of Li-Fi is to physically separate the downlink and uplink radio channels into different wavelengths. Since each desktop unit is designed to capture only visible light signals of a particular wavelength, a motivated attacker attempting to listen to another user's communication can access only half of the transmitted information (i.e., downlink). This is depicted in Figure 2 (b).

In general, strengthening the security of the file system can be achieved by reducing the attack surface of the network 3. This means to minimize the physical area of access to the network 3 as well as the number of applications on the user device. This can be done on files of a certain class in the file system 4, and with Li-Fi, the other set of security files have completely separate physical access areas. This results from the directed and non-perturbing nature of the visible light downlink signal, which allows precise identification of the physical access area. This is done by creating for each file a set of (Li-Fi) access points that are allowed access to a specific file. Attempts to access the file from any other access point outside the allowable set will result in access being denied (even if the user is authorized to access the file). The location-based access criteria are stored in the location access server 5, and the location access server is a completely physically independent server that handles location-based queries solely.

Figure 3 shows a system for double gate locking. This has the ceiling unit 1 and the desktop unit 2. User and location authentication is performed by the file server and the location access server, respectively. As can be seen in FIG. 3, a typical message exchange protocol for double gate locking involves four five information exchanges. First, a user with a specific user ID requests access to a file having a specific file ID from the Li-Fi access point 1 to which the file is currently connected. This can be done by sending a user data request to a connected Li-Fi access point, and the user data request includes a user ID and a file ID. The access point has a specific location ID (access point IP / MAC / ID). The access point receives the user data request from the user device and uses the user data request to configure the access request including the user ID, the file ID, and its own location ID. This access request is sent to the file system 4. The file system 4 authenticates whether the user is authorized to access the file using the user ID and the file ID. Otherwise, the system 4 denies data access. If the authentication is successful, the file system 4 sends the file ID and the location ID to the location access server. The location access server 5 checks whether the file is accessible from an access point having a specific location ID. It responds to the file system 4 in binary yes / no response. The file system 4 can be used only when both the user ID (as judged by the file server) and the location ID (as judged by the location access server) are allowed to access the file and only when the Li-Fi access point 1 And the desktop unit 2 to the user. Otherwise, access to specific data is denied. Figure 4 shows a flow diagram depicting the above information flow.

Physically separate multi-layered security access can be implemented. In this case, other wavelengths may be used to separate different levels of access. For example, a technician may have a desktop unit adapted to green light, while security personnel may be suitable for blue light, and an upper manager may be suitable for red light. Available information is strictly limited and widely available on separate channels using the same infrastructure.

Another approach to minimizing the physical access area and consequently the attack surface of the network 3 is to limit the number of access points for which a particular user is allowed access from the access point to the network. This is called Geo-Fence. In Li-Fi, Geo-Fencing allows the network to restrict each user's access to the network to only the CU / access point to which the network is currently connected and the access point immediately next to that access point. It performs two primary purposes. The access network for a particular user ID at any given time is reduced to a small subset of the entire network 3. [ This significantly reduces the opportunity for motivated attackers with stolen user credentials to access the network. Nearby access points are driven to allow movement from one access point to the next access point, at which point the new access point and its neighboring access points become access areas. This facilitates network access along with the user through the Li-Fi network. This is done by creating a set of various (Li-Fi) access points that are allowed to access the network 3 for each user ID. Attempts to access network 3 from other access points other than the allowable set and attempts to access the file are denied. The access points forming the geofence of each user are stored in the location access server and are continuously updated with all handovers experienced by the user when traveling through the network 3. [

Figure 5 shows a system for Li-Fi geofencing. As before, it has multiple ceiling units / access points and a desktop unit for each user. User and location authentication are performed by the file server 4 and the location access server 5, respectively. Figure 5 shows a typical message exchange protocol for geofencing. This includes six information exchanges. A user with a specific user ID requests access to a file on the network from the Li-Fi ceiling unit / access point 1 to which the network is currently connected. This is done by sending a user data request containing the user ID and file ID to the Li-Fi ceiling unit / access point. The access point has a specific location ID (access point IP / ID). The access point generates an access request that includes a file ID, a user ID, and a location ID from among other information. This request is sent to the file system 4. The file system 4 first authenticates that the user ID is authorized to access the file. If not, the system 4 denies access to the data. If the authentication is successful, the file system 4 sends the user ID and the location ID to the location access server 5. The location access server 5 verifies that the access point with the specific location ID is within the set of allowable access points for the particular user ID, i.e., within the geofence of the user. It responds to the file system 4 in a binary Yes / No response. If the response from the location access server 5 is "no ", a possible security violation is detected. The file system 4 then notifies the network security system 6 of the location ID and user ID of the illegal access attempted. The file system 4 can be used for both the user ID (as judged by the file server) and the location ID (as judged by the location access server) when access to the file is granted and only when the Li-Fi ceiling unit / And transmits the requested data to the user via the desktop unit. Otherwise, access to specific data is denied.

Figure 6 shows a flow diagram for a geofencing data access protocol. The dashed line represents the basic mechanism by which a set of allowable access points (i.e., geofences) on a location access server can be updated when a desktop unit is connected to a new ceiling unit / access point. This includes monitoring the user's location, e.g., verifying that the user has moved to the new access point 1, and verifying that the user has been granted access from the new access point. If so, a set of allowable access points called so-called geofences is defined in the vicinity of the user's current access point. The verification performs whether the new ceiling unit / access point is within the previous geofence or it is an external / illegal access attempt. Any illegal attempts are communicated to the network security system 6.

Geofencing allows access to the network with features such as where the user is and where the user is moving. This is done by activating a specific set of Li-Fi access points in the vicinity of the user's current location and changing the set as the user moves around. For example, if an employee wishes to access the network from a conference room, the system will be trained to confirm (record) the movement (path) from the employee's normal location to the coffee room. In the beginning, employees can access the network from the Li-Fi access point (light) on their desk and the lights in the immediate vicinity. After being registered with nearby Li-Fi access points and handed over there, they are allowed to connect to the next neighbors. From one light to the next, each Li-Fi access point will verify that the employee / user is moving.

By using geofencing, in the Li-Fi system of the present invention, network access moves with the associated individual. In conventional systems where employees access security files from a network connection at their desk, a motivated attacker can use the appropriate credentials to penetrate the organization and gain access to confidential information. In a geofenced Li-Fi system, an attacker would be able to access the network with appropriate credentials only in the vicinity of the employee. Instead of ensuring a specific location, the organization may now only guarantee the users concerned. That is, physical security is related to the cyber security area.

As mentioned previously, most of the cyber attacks are the result of social engineering, that is, manipulation or selfish use of human users by the system. Providing an additional gating process may minimize the attack surface of the wireless network, but this technique is less effective for attacks from within. To detect and prevent network security breaches that are the result of social engineering, the system needs to establish when users behave abnormally. Due to the high density of Li-Fi ceiling units / access points, it is possible for the user to simply determine the current position of the user simply based on the access point to which the user is connected. This allows the network 3 to track the user as they move through the network 3. [ By storing this data, statistical analysis over a large and sufficient data set provides the system with a model of the user's typical behavior patterns when accessing the network 3. This behavior can be made from additional data points such as access time, file accessed, network access frequency, and the like. By establishing an average behavioral model, anomalous behavior becomes detectable.

Figure 7 shows a system for Li-Fi behavior modeling. As before, multiple ceiling units / access points and desktop units are included in the basic network access. User authentication is performed in the file server 4, and anomaly detection is performed in the data and analysis server 7. Figure 7 shows a typical message exchange protocol for behavior modeling. A user with a specific user ID requests the network to access the network from the currently connected Li-Fi ceiling unit / access point. This is done by sending a user data request including the user ID and file ID from the user device to the Li-Fi ceiling unit / access point. The access point generates an access request using a user ID, a file ID, and its own location ID. This access request is sent to the file system 4. The file system 4 first authenticates that the user ID is authorized to access the file. If not, the system 4 denies access to the data. If authentication is successful, the file system 4 sends the user ID, location ID, requested file ID and additional desired parameters to the data and analysis server 7. The access request information received from the file system 4 is added to the profile of the specific user ID and included as a factor in the statistical model of the user's network access behavior.

Anomaly detection algorithms investigate whether the current access is abnormal or within the user ' s general pattern. If the data and analysis server 7 determines an anomalous network access event, a possible security violation is detected. The data and analysis server 7 then notifies the network security system 6 of the location ID and user ID of the illegal access suspected. The file system 4 sends the requested data to the user via the Li-Fi ceiling unit / access point 1 and the desktop unit 2 if the user is allowed to access the file / data. Otherwise, access to certain data is denied. A flow diagram depicting the flow of information above is shown in FIG.

If anomalous access to the network is detected, this does not prevent the user from accessing the data. This is a matter of implementation, and anomalous network access can result in blocking actions in case of legitimate anomalous access blocked by the system, allowing file access, and reporting additional protection measures. However, the network security system 6 still recognizes anomalous access if the anomalous access can be access resulting from human manipulation / selfish use.

In all of the examples described above, additional security may be provided using encryption linked to the location of the access point and / or the user device. For an access point, the downloaded files are encrypted, for example, with a high level of hardware accelerated encryption at the access point where the files are accessed. The software of the access point monitors the connection between the user device and the access point. As soon as the user disconnects from the Li-Fi access point, the network control software can delete the trace of the file and work session and leave an encrypted copy of the work session. This results in temporarily inaccessible files that have already been downloaded, except when connected to a particular access point that downloads the files. Additionally or alternatively, the encrypted file may only be accessible by a particular user device / desktop unit having access to the decryption key. This may be done by allowing the file to be encrypted to the user device so that the file is only accessible from the same device, or by storing the encryption key in the user device. In this case, the public key of the user device may be used by another device to encrypt the file when uploading to the network, and the intended desktop unit with the private key may access the file. Thus, access point encryption can implement two layers of hardware enable encryption, connecting access to a specific location, and desktop unit encryption connecting access to a particular user or device.

All aspects of the present invention increase network security of the system as a whole while increasing mobility in the system. In particular, Li-Fi provides a detailed level of information required to make predictive statistical user behavior models effective to minimize the likelihood of human error. In addition, the Li-Fi ceiling unit can act as a hardware enabling encryption device, ensuring that any file on the host laptop can not be decrypted outside of the specified conditions. That is, before publishing any file, the system will request a key from the network, available only through Li-Fi access points, providing a detailed log of what information has been accessed on the network. The physical device behaves as a key that generally allows access to the network as well as access to files stored on the local machine.

It will be understood by those of ordinary skill in the art that changes in the disclosed configuration are possible without departing from the invention. Accordingly, the above description of specific embodiments is merely exemplary in nature and not of limitation. It will be apparent to those of ordinary skill in the art that minor modifications may be made without significantly altering the operation described.

1: Li-Fi enabled LED lamp / access point
2: User Li-Fi Desktop Unit
3: Network
4: File system / server
5: Location Access Server
6: Network security system
7: Data and Analysis Server

Claims (25)

1. A light-enabled security system for allowing a user device to access a file or data on a network, each user device having a user ID, each file / data having a file /
The system includes a plurality of optical-enabled user access points for allowing access to the network over an optical communication channel,
Each optical-enabled user access point is associated with a unique location ID and is operative to configure a network access request in response to a file / data request from a user device,
Wherein the network access request includes the user device ID, the unique user access point location ID, and the requested file ID,
Wherein the system receives the network access request and uses the network access request to determine whether access to the file / data is permitted or denied based on the user ID, the location ID and the file ID. . The method according to claim 1,
A plurality of optical enabled portable user devices for communicating with the access point using light,
Each device is associated with a unique user ID. 3. The method according to claim 1 or 2,
Each optical enabled portable user device transmits light to the light enabled user access point using light of a first wavelength and receives light of a second different wavelength from the light enabled user access point. 4. The method according to any one of claims 1 to 3,
A plurality of secure wireless networks may be defined using the light-enabled user access point, and each access point may be associated with an illumination region of the access point and / or a surrounding physical structure, such as walls or ceiling, ≪ / RTI > wherein the security system has a spatial coverage limited by. 5. The method according to any one of claims 1 to 4,
Wherein the system determines whether access is granted or denied using (1) the user ID and the file ID, and (2) the user ID and the location ID. 6. The method of claim 5,
The system includes a first processor or server for determining whether access is permitted or denied using the user ID and the file ID, and a second processor or server for determining whether access is permitted or denied using the user ID and the location ID A second processor or server. The method according to claim 5 or 6,
The system first determines whether access is authorized or denied using the user ID and the file ID, and then uses the user ID and the location ID to determine whether access is permitted or denied. 8. The method according to any one of claims 1 to 7,
Wherein the system determines whether access is granted or denied using (1) the user ID and the file ID, and (2) the file ID and the location ID. 9. The method of claim 8,
The system includes a first processor or a server for determining whether access is permitted or denied using the user ID and the file ID, and a second processor or server for determining whether access is permitted or denied using the file ID and the location ID A second processor or server. 10. The method according to claim 8 or 9,
The system first determines whether access is authorized or denied using the user ID and the file ID, and then uses the file ID and the location ID to determine whether access is permitted or denied. 11. The method according to any one of claims 1 to 10,
Wherein the system identifies a current location of the user device, defines a group or set of optical-enabled user access points in the vicinity of the user device to which access is granted, and stores the details of the group. 12. The method of claim 11,
Wherein the system continuously monitors the location of the user and updates the group or set of optical-enabled user access points for which access is authorized. 13. The method according to claim 11 or 12,
Wherein the system identifies an attempt to access the network from an access point outside of the group or set of defined optical-enabled user access points in the vicinity of the user device. 14. The method of claim 13,
Wherein the system generates an alert indicating an illegal access if an attempt to access the network is identified. 15. The method according to any one of claims 1 to 14,
Wherein the system stores information related to a user's use of the system and uses the information to identify potentially anomalous behavior. 16. The method according to any one of claims 1 to 15,
Wherein the system stores details of a location of the user device so that the user device can track the location of the user device. 17. The method of claim 16,
Each access point is associated with an indoor location, e.g., a particular room or area within a building. 18. The method according to any one of claims 1 to 17,
Wherein at least one optical-enabled access point is associated with the encrypted file, and the decryption of the file is possible only when the user device is connected to the at least one optical-enabled access point. 19. The method of claim 18,
Wherein the at least one light-enabled access point is operable to encrypt the file. 20. The method according to claim 18 or 19,
Wherein the at least one light-enabled access point is operable to delete a file from the user device when the connection between the user device and the access point is broken. 20. The method according to claim 18 or 19,
Wherein only the encrypted file is usable using the user device when the connection between the user device and the access point is broken. 22. The method according to any one of claims 1 to 21,
Wherein at least one user device is associated with an encrypted file or data, and wherein the file or data is only accessible by the user device. 23. The method according to any one of claims 1 to 22,
Wherein the at least one user device comprises encryption and / or decryption hardware or software. 24. The method according to any one of claims 1 to 23,
Wherein the user access point is operative to receive light of different wavelengths, each wavelength being associated with a different level of access. 24. An optically enabled portable user device for use in a system of any one of claims 1 to 24, wherein the device is operative to transmit a user ID and a file ID with a network request.

Images